neconyd | b97438ab261c8e334e6d6d20ab8480264b33f0749d991d04694a1de8e291dc73

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 02:13

Target

34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe
Size

84KB
MD5

34da1b0e0844725559275ea4a55c52b0
SHA1

a691fbc42323ee7bd15a424001093383b1c77c41
SHA256

b97438ab261c8e334e6d6d20ab8480264b33f0749d991d04694a1de8e291dc73
SHA512

5078694fe7c6d73c43e9a351e027dc6aa03b0643ba22f6d3832920a4f159a11a918cdcbd4bfcad598eeffddd2b8511398a9e7d888161bef34354869e5132fc45
SSDEEP

768:UMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:UbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1200	1264	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	89
PID 1264 wrote to memory of 1200	1264	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	89
PID 1264 wrote to memory of 1200	1264	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	89
PID 1200 wrote to memory of 1048	1200	omsecor.exe	98
PID 1200 wrote to memory of 1048	1200	omsecor.exe	98
PID 1200 wrote to memory of 1048	1200	omsecor.exe	98
PID 1048 wrote to memory of 2276	1048	omsecor.exe	99
PID 1048 wrote to memory of 2276	1048	omsecor.exe	99
PID 1048 wrote to memory of 2276	1048	omsecor.exe	99

C:\Users\Admin\AppData\Local\Temp\34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3892,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:4052

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
29cfae38bace22130ce859e97f333148

SHA1
749ce429a0c0a6e1f602501f7579cdbe2f879d1a

SHA256
910628595d7d00d423783f84e1a14416a2223c4173c02a200128c3e4abd93ca4

SHA512
0e91b36f1ae3e0e96c25d87ecc4e048d7d580dfae51a0e3097d1da1193a59d12dd2c9d3a745f51826b44d467737fdfacdf48077538e2257417811463cf1b791a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
324045731cc5e0659c56f82aaa2a1b18

SHA1
479711e87e126c9f300208df4c0ee2a589203d71

SHA256
e6a447dfbe0793b7614da4e68c3eaa1fa40a093cdf9db27140b1287e8e09b085

SHA512
b8f6f042b99aa82a7b9df33ce2b54482d3d0ec9852a30c99e60335203f80d2fd4d5c326770296dd0ff079246eeab9337ef85bd4503b50768c6c8cf93091e2ffb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
7180892e8d14400c7806c8e71da448ce

SHA1
d38e582fa96efde66defe31b279019babbae03ea

SHA256
bfc236c7a6eab2b24ab58262c26a6b2de02e2ff0b7ce1faa16aedc70b5e4b4a9

SHA512
32f52d8caeb2577d29f7c254b478655bb542221b71fdd0dbfb0bc83e99e367dbd7eb4734c2cf69a67ed2b50a0ed102e68b5819e7e994222eac697c7bd1d17b94

Download Submit